CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4481 – Gutenberg Blocks with AI by Kadence WP <= 3.2.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Link
https://notcve.org/view.php?id=CVE-2024-4481
The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute of the plugin's blocks in all versions up to, and including, 3.2.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Gutenberg Blocks with AI by Kadence WP para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del atributo 'enlace' de los bloques del complemento en todas las versiones hasta la 3.2.36 incluida debido a una sanitización de entrada insuficiente y a un escape de salida en atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/changeset/3083616/kadence-blocks/trunk/includes/blocks/class-kadence-blocks-advanced-heading-block.php https://www.wordfence.com/threat-intel/vulnerabilities/id/ad0e4292-d890-499b-b70a-ed638d5b8ee9?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2273 – Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.34 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-2273
The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 3.2.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Gutenberg Blocks de Kadence Blocks – Page Builder Features para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de varios parámetros en todas las versiones hasta la 3.2.34 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de colaborador o superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3075158%40kadence-blocks%2Ftrunk&old=3068562%40kadence-blocks%2Ftrunk&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/e7fe482e-a4e8-411c-97a4-a32ccf5b3682?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4034 – Virtue <= 3.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Author
https://notcve.org/view.php?id=CVE-2024-4034
The Virtue theme for WordPress is vulnerable to Stored Cross-Site Scripting via a Post Author's name in all versions up to, and including, 3.4.8 due to insufficient input sanitization and output escaping when the latest posts feature is enabled on the homepage. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El tema Virtue para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del nombre del autor de una publicación en todas las versiones hasta la 3.4.8 incluida debido a una sanitización de entrada insuficiente y a un escape de salida cuando la función de publicaciones más recientes está habilitada en la página de inicio. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://themes.trac.wordpress.org/browser/virtue/3.4.8/templates/home/blog-home.php#L87 https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=225592%40virtue&new=225592%40virtue&sfp_email=&sfph_mail=#file18 https://www.wordfence.com/threat-intel/vulnerabilities/id/d8272233-afb3-46f1-ab85-189a3923e29d?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6964 – Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.1.26 - Authenticated(Contributor+) Server-Side Request Forgery (SSRF)
https://notcve.org/view.php?id=CVE-2023-6964
The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.26 via the 'kadence_import_get_new_connection_data' AJAX action. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. El complemento Gutenberg Blocks de Kadence Blocks – Page Builder Features para WordPress es vulnerable a Server-Side Request Forgery en todas las versiones hasta la 3.1.26 incluida a través de la acción AJAX 'kadence_import_get_new_connection_data'. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, realicen solicitudes web a ubicaciones arbitrarias que se originan en la aplicación web y pueden usarse para consultar y modificar información de servicios internos. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3019592%40kadence-blocks&old=2996625%40kadence-blocks&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/b01ad77f-2349-48bb-b4e9-f7cbce435de9?source=cve • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2919 – Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.31 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via CountUp Widget
https://notcve.org/view.php?id=CVE-2024-2919
The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the CountUp Widget in all versions up to, and including, 3.2.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Gutenberg Blocks by Kadence Blocks – Page Builder Features para WordPress es vulnerable a cross-site scripting almacenado a través de los widgets Countdown y CountUp en todas las versiones hasta la 3.2.31 incluida debido a una sanitización de entrada y a un escape de salida de los atributos proporcionados por el usuario insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/changeset/3062911/kadence-blocks/trunk/includes/assets/js/kb-countup.min.js https://www.wordfence.com/threat-intel/vulnerabilities/id/b38a69c7-91d4-43be-8650-eb1f0029bd44?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •